(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(19) World Intellectual Property Organization, International Bureau

(43) International Publication Date: 30 May 2003 (30.05.2003)

(10) International Publication Number: WO 03/044638 A1

(51) International Patent Classification 7: G06F 1/00

(21) International Application Number: PCT/EP02/13067

(22) International Filing Date: 21 November 2002 (21.11.2002)

(25) Filing Language: English

(26) Publication Language: English

(30) Priority Data: 01127906.4, 23 November 2001 (23.11.2001), EP

(71) Applicant (for all designated States except US): PROTEGRITY RESEARCH & DEVELOPMENT [SE/SE]; Expolaris Center, S-931 78 Skelleftea (SE).

(72) Inventor; and

(75) Inventor/Applicant (for US only): MATTSSON, Ulf [SE/US]; 1177 Summer Street, US-Stamford, CT 06905 (US).

(74) Agent: AWAPATENT AB; Box 11394, S-404 28 Goteborg (SE).

(81) Designated States (national): AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CO, CR, CU, CZ, DE, DK, DM, DZ, EC, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, NO, NZ, OM, PH, PL, PT, RO, RU, SC, SD, SE, SG, SI, SK, SL, TJ, TM, TN, TR, TT, TZ, UA, UG, US, UZ, VC, VN, YU, ZA, ZM, ZW.

(84) Designated States (regional): ARIPO patent (GH, GM, KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZM, ZW), Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE, SK,

[Continued on next page]

(54) Title: METHOD FOR INTRUSION DETECTION IN A DATABASE SYSTEM



[Figure: flowchart. Recoverable labels: "Receive request"; decision "Intrusion detected" (yes/no); "Compare with inference pattern"; decision "Intrusion detected" (yes/no); "Alert ACS"; "Communicate result"; step label S4.]



(57) Abstract: A method for detecting intrusion in a database, managed by an access control system, comprising defining at least one intrusion detection profile, each comprising at least one item access rate and associating each user with one of said profiles. Further, the method determines whether a result of a query exceeds any one of the item access rates defined in the profile associated with the user, and, in that case, notifies the access control system to alter the user authorization, thereby making the received request an unauthorized request, before said result is transmitted to the user. The method allows for a real time prevention of intrusion by letting the intrusion detection process interact directly with the access control system, and change the user authority dynamically as a result of the detected intrusion.
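
The flow described in the abstract, as an added illustration in Python that is not code from the application. It assumes an item access rate means a maximum number of rows of an item returned to a user within a sliding time window; the class names, function names, the `card_number` item and the limits are hypothetical.

```python
from collections import defaultdict, deque

class AccessControlSystem:
    """Minimal stand-in for the ACS: holds which users are currently authorized."""
    def __init__(self, users):
        self.authorized = set(users)
    def is_authorized(self, user):
        return user in self.authorized
    def revoke(self, user):
        self.authorized.discard(user)

class IntrusionDetector:
    """Checks each query result against the user's profile of item access rates."""
    def __init__(self, acs, profiles, user_profile):
        self.acs = acs
        self.profiles = profiles           # profile name -> {item: (max_rows, window_seconds)}
        self.user_profile = user_profile   # user -> profile name
        self.history = defaultdict(deque)  # (user, item) -> deque of (time, rows)

    def inspect(self, user, rows_per_item, now):
        """Record the result's item counts; alert the ACS if any rate is exceeded."""
        exceeded = False
        for item, (max_rows, window) in self.profiles[self.user_profile[user]].items():
            hist = self.history[(user, item)]
            while hist and now - hist[0][0] >= window:
                hist.popleft()             # drop accesses that fell outside the window
            rows = rows_per_item.get(item, 0)
            if rows:
                hist.append((now, rows))
            if sum(r for _, r in hist) > max_rows:
                exceeded = True
        if exceeded:
            self.acs.revoke(user)          # ACS alters the user's authorization
        return exceeded

def handle_request(acs, ids, user, rows_per_item, now):
    """Return 'released' or 'denied' for one query whose result is already computed."""
    if not acs.is_authorized(user):
        return "denied"
    ids.inspect(user, rows_per_item, now)  # may change the user's authorization
    # Re-check before transmission: a detected intrusion makes this request unauthorized.
    return "released" if acs.is_authorized(user) else "denied"

# Constructed sample data (not from the patent): at most 100 card numbers per 60 s.
PROFILES = {"clerk": {"card_number": (100, 60)}}
def demo():
    acs = AccessControlSystem({"alice", "bob"})
    ids = IntrusionDetector(acs, PROFILES, {"alice": "clerk", "bob": "clerk"})
    calls = [("alice", 40, 0), ("alice", 50, 10), ("bob", 20, 15), ("alice", 20, 20), ("alice", 1, 200)]
    return [handle_request(acs, ids, u, {"card_number": n}, t) for u, n, t in calls]
```

In `demo()`, the fourth request pushes alice over the limit, so its result is withheld and her later request is refused as well, while bob is unaffected.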